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DETAILED ACTION 
Claim Rejections - 35 USC §102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was pui)lished under Article 21(2) of such treaty in the English language. 

2. Claims 1-36 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Malan(2002/0032871). 

3. As per claim 1, Malan et al. discloses detecting scanning attacks[i.e. Dos attacks, 0028, 
0057], adding host-pair connection records to a connection table each time a host accesses 
another host[0084]; at the end of a short update period, accessing the connection table to 
determine new host pairs; determining the number of new host pairs added to the table over the 
update period; and if a host has made more than a first threshold number "CI" host pairs, and the 
number of host pairs in the profile is smaller than the threshold number by a first factor value 
"C2", then indicating to a console that the new host is a scanner[0031, 0037, 0067, 0084]. 

4. As per claim 2, Malan discloses wherein "CI" and "C2" are adjustable thresholds[0084]. 

5. As per claim 3, Malan discloses wherein the connection table is a current time-slice 
connection table and host pair records are added to the current time slice connection table[0083- 
0084]. 

6. As per claim 4, Malan discloses aggregating records fi-om the current time-slice table into 
a long update period table; and checking for ping scans at the end of a long update period; and 
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indicating hosts which produced more than "C3" new host pairs over the long update 
period[0029, 0032-0033, 0084]. 

7. As per claim 5, Malan discloses at the end of the long update period, accessing the long 
update connection table to determine new host pairs that the process had not determined before 
in the profile; determining the number of new host pairs added to the table over the long update 
period; and if a host has made more than a first threshold number "C4" host pairs, and the 
number of host pairs in the profile is smaller than the threshold number by a first factor value 
"C5", then indicating the new host as a scanner[0083-0084]. 

8. As per claim 6, Malan discloses maintaining Address Resolution Protocol (ARP) packet 
statistics in the connection table and for sparse subnets tracking the number of generated ARP 
requests that do not receive responses to detect scans on sparse sub-networks[008 1-0082]. 

9. As per claim 7, Malan discloses wherein the scanning attack is a ping scanning 
attack[0081]. 

10. As per claim 8, Malan discloses detecting port scanning attacks, the method includes 
retrieving fi-om a connection table logged values of protocols and ports used for host pair 
connections in the table[0042-0043, 0045]; determining if the number of ports used in the 
historical profile is considerably smaller by a factor "CI " than a current number of ports being 
scanned by a host and the current number is greater than a lower-bound threshold "C2", to record 
the anomaly; and reporting a port scan to a console[0067-0068]. 

11. As per claim 9, Malan discloses assigning a severity level to the port scan and reporting 
the severity level of the port scan[0069]. 
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12. As per claim 10, Malan discloses wherein the reported severity varies as a function of the 
deviation from historical norm[0068-0069]. 

13. As per claim 11, Malan discloses determining from the connection table statistics about 
TCP reset (RST) packets and ICMP port-unreachable packets to detect a spike in the number of 
RST packets and ICMP port-unreachable packets relative to the profile to increase the severity of 
a port scan event[0081-0083]. 

14. As per claim 12, Malan discloses wherein determining occurs at the end of short update 
periods to detect normal scans[0084]. 

15. As per claim 13, Malan discloses wherein determining occurs at the end of long update 
periods to detect stealthy scans[0084]. 

16. As per claim 14, Malan discloses add host-pair connection records to a connection table 
each time a host accesses another host, at the end of a short update period, accessing the 
connection table to determine new host pairs; determine the number of new host pairs added to 
the table over the update period; and if a host has made more than a first threshold number "CT' 
host pairs, and the number of host pairs in the profile is smaller than the threshold number by a 
first factor value "C2", then indicate to a console that the new host is a scanner[0083-0084]. 

17. As per claims 15, 25, 29, Malan discloses wherein "CI" and "C2" are adjustable 
thresholds[0084]. 

18. As per claims 16, 26, 30, Malan discloses wherein the connection table is a current time- 
slice connection table and host pair records are added to the current time slice connection 
table[0037, 0083-0084]. 
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19. As per claims 17, 27, 31, Malan discloses aggregate records from the current time-slice 
table into a long update period table; check for ping scans at the end of a long update period; and 
indicate hosts which produced more than "C3" new host pairs over the long update period[0029, 
0032-0033, 0084]. 

20. As per claims 18, 32, Malan discloses access the long update connection table at the end 
of the long update period; determine the number of new host pairs added to the table over the 
long update period; and if a host has made more than a first threshold number "C4" host pairs, 
and the number of host pairs in the profile is smaller than the threshold number by a first factor 
value "C5", then indicate the new host as a scanner[0067-0068, 0083-0084]. 

21 . As per claim 19, Malan discloses maintain Address Resolution Protocol (ARP) packet 
statistics in the connection table; and track the number of generated ARP requests that do not 
receive responses to detect scans on sparse sub-networks[008 1-0082]. 

22. As per claims 20, 33, Malan discloses causing a processor to: retrieve from a connection 
table logged values of protocols and ports used for host pair connections in the table[0042-0043, 
0045]; determine if the number of ports used in the historical profile is considerably smaller by a 
factor "CI" than a current number of ports being scanned by a host and the current number is 
greater than a lower-bound threshold "C2", to record the anomaly; and report a port scan to a 
console[0067-0068]. 

23. As per claims 21, 34, Malan discloses assign a severity level to the port scan and report 
the severity level of the port scan[0069]. 

24. As per claims 22, 35, Malan discloses wherein the reported severity varies as a fimction 
of the deviation from historical norm[0068-0069]. 
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25. As per claims 23, 36, Malan discloses determine from the connection table statistics 
about TCP reset (RST) packets and ICMP port-unreachable packets to detect a spike in the 
number of RST packets and ICMP port-unreachable packets relative to the profile to increase the 
severity of a port scan event[0081-0083]. 

26. As per claims 24, 28, Malan discloses circuitry to add host-pair connection records to a 
connection table each time a host accesses another host, iat the end of a short update period, 
accessing the connection table to determine new host pairs; circuitry to determine the number of 
new host pairs added to the table over the update period; and if a host has made more than a first 
threshold number "CI" host pairs, and the number of host pairs in the profile is smaller than the 
threshold number by a first factor value "C2", then circuitry to indicate to a console that the new 
host is a scanner[0067-0068, 0083-0084], 

Conclusion 

Any inquiry conceming this communication or earlier communications firom the 
examiner should be directed to Jenise E. Jackson whose telephone number is (571) 272-3791. 
The examiner can normally be reached on M-Th (6:00 a.m. - 3:30 p.m.) alternate Friday's. 

If attempts to reach the examiner by telephone are unsuccessfiil, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpubUshed 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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